Why malware like the Samsam ransomware are so dangerous for hospitals?

The FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, why it is so dangerous?

It is emergency, every week security experts launch an alert on a new ransomware, the extortion practice is becoming a profitable business for criminal gangs worldwide. Recently the US and Canada issued a joint warning about the recent surge in ransomware infections. According to the Reuters, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, that targeted several hospitals. The law enforcement Agency also shared IoC for the Samsam threat to help organizations monitoring for infections.

The law enforcement Agency also shared IoC for the Samsam threat to help organizations monitoring for infections.

“The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future,” the advisory said.” states the advisory.Among the victims of the Samsam Ransomware there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area.The bad actors behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files.

MedStar did not pay the Ransom because it has a backup of the encrypted information, a situation rare that advantage the attackers behind ransomware-based campaigns.

The IT department of the MedStar Hospital detected the infection at an early stage and was able to stop the Samsam Ransomware from infecting internal systems.

The MedStar incident demonstrates that a proper security posture, an early response and the implementation of effective best practices like data backup are necessary steps for a right approach to prevent damage from ransomware-based attacks.

In the specific case, the Samsam ransomware is not a new threat, it has been around since last few years targeting businesses and organizations worldwide.

Samsam is considered a very interesting threat by experts because it doesn’t require the victim’s interaction.

Typical victims get a ransomware infection by clicking on a malicious link, by opening an attachment or through a malvertising, but the Samsam ransomware targets servers instead end-users.

The threat first exploits unpatched vulnerabilities in JBoss application servers by using JexBoss, an open-source penetration testing tool. Once exploited the flaws, the attackers get remote shell access to the infected servers and install the Samsam ransomware onto the targeted Web application server.

Once the server has been compromised, attackers use it to spread the ransomware client to Windows machines and encrypt their files.

“The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system. It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling. Java-based vulnerabilities were also observed to have been utilized, such as Java-based vulnerabilities were also observed to have been utilized, such as CVE-2010-0738 related to outdated JBOSS server applications.

It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well. When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.” states a blog post published by Microsoft on the threat.”

Such kind of threat is particularly insidious for any organizations, especially the ones that works directly with the public, like transportation services and hospitals.

The number of ransomware infections in the healthcare industry is rapidly increasing, the threats in many cases are able to cause the paralysis of the infrastructure with serious damages in the middle and long term.

Recently the systems at the Methodist Hospital in Kentucky that’s been infected. According to NewsChannel10, the Methodist Hospital in Henderson was hit my a ransomware that locked patients’ files and is demanding money for to regain access to them. Officials say that the hospital paid about $17,000 to those hackers for the access back to the patients’ files.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.AcceptRead More

Privacy and Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.